Operation reWired – a globe-spanning, four-month-long crackdown on email fraud involving law enforcement agencies in 10 countries – has resulted in the arrest of 281 people suspected of running BEC (business email compromise) scams.
The US Department of Justice (DOJ) on Tuesday announced that the operation, which kicked off in May 2019, led to the seizure of nearly $3.7 million in assets and repatriations.
Out of the 281 arrests, 167 were in Nigeria, 74 in the US, 18 in Turkey, and 15 in Ghana. Arrests were also made in France, Italy, Japan, Kenya, Malaysia, and the UK.
Chief Don Fort, with the US Internal Revenue Service’s (IRS’s) Criminal Investigation unit, said in the DOJ’s release that the criminal network was complex, and it had a lot more going on besides talking businesses into making bogus wire transfers. Investigators discovered that the conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns, attempting to receive more than $91 million in tax refunds, he said.
The collection of law enforcement agencies who coordinated their efforts in Operation reWired is a who’s who list: besides the DOJ, it included the US Department of Homeland Security (DHS), the US Department of the Treasury, the US Postal Inspection Service, the US Secret Service, and the US Department of State. Deputy Attorney General Jeffrey Rosen also gave a shout-out to the FBI, as well as to more than two dozen US Attorneys’ Offices, the Internal Revenue Service’s (IRS’s) Criminal Investigation unit, state and local law enforcement partners in the US, and law enforcement partners in Nigeria, Ghana, Turkey, France, Italy, Japan, Kenya, Malaysia, and the UK.
Altogether, their work resulted in more than 214 domestic actions: besides the arrests, that included warning letters sent to money mules. A number of alleged money mules were also arrested for allegedly helping to rip off people and businesses.
These are just a few of the suspects who were arrested, who their alleged targets were, and how much money the Feds managed to freeze:
- Brittney Stokes, 27, of Country Club Hills, Illinois, and Kenneth Ninalowo, 40, of Chicago, Illinois, were charged with laundering over $1.5 million in BEC scam money. According to the indictment, a community college and an energy company were defrauded into sending about $5 million to bank accounts controlled by the scammers. Banks were able to freeze around $3.6 million of the $5 million defrauded in the two schemes. Police seized a 2019 Range Rover Velar S from Stokes and approximately $175,909 from Stokes and Ninalowo.
- Opeyemi Adeoso, 44, of Dallas, Texas, and Benjamin Ifebajo, 45, of Richardson, Texas, were arrested and charged with bank fraud, wire fraud, money laundering, and conspiracy. Adeoso and Ifebajo are alleged to have received and laundered at least $3.4 million and to have assumed 12 bogus identities to defraud 37 victims from across the US.
- Yamel Guevara Tamayo, 36, of Miami, Florida, and Yumeydi Govantes, 39, also of Miami, were charged with laundering more than $950,000 in BEC scam money. They’re also allegedly responsible for recruiting about 18 other people to work as money mules, who in turn allegedly laundered proceeds of BEC scams for an international money laundering network. They allegedly went after title companies, corporations, and individuals.
- Two individuals were charged in the Northern District of Georgia for their alleged involvement in a Nigeria-based BEC scheme that began with a $3.5 million transfer of funds fraudulently misdirected from a Georgia-based healthcare provider to accounts across the US. Two Nigerians – Emmanuel Igomu, 35, of Atlanta, Georgia, and Jude Balogun, 29, of San Francisco – were arrested on charges of aiding and abetting wire fraud for their alleged part in receiving and transmitting BEC money.
- Cyril Ashu, 34, of Austell, Georgia; Ifeanyi Eke, 32, of Sandy Springs, Georgia; Joshua Ikejimba, 24, of Houston, Texas; and Chinedu Ironuah, 32, of Houston, Texas, were charged in the Southern District of New York with one count of conspiracy to commit wire fraud and one count of wire fraud for their alleged part in a Nigeria-based BEC scheme that affected hundreds of victims in the US, with losses in excess of $10 million.
What’s a BEC scam?
These scams typically involve legitimate business email accounts that have been hijacked, be it through social engineering or hacking, to initiate unauthorized transfers. The scammers often target employees who hold the purse strings and businesses that work with foreign suppliers and/or businesses that are in the habit of executing wire transfer payments.
As the DOJ explained in its announcement, the criminal networks that run BEC scams also go after individuals, such as people buying real estate, the elderly, and others, by convincing them to make wire transfers to bank accounts that the crooks control. We saw an example of a real estate scam earlier this year when we learned about a woman getting swindled out of $150,000 from the overseas sale of her house in Australia.
Sometimes the fraudsters will impersonate a key employee or business partner after they’ve seized control of that person’s email account. Sometimes, they’ll find their victims through romance and lottery scams.
And sometimes, they’ll use dating sites to recruit money mules to help them launder the ill-gotten booty. Last month, the FBI said that this recruitment of money mules on dating sites is on the rise.
BEC scammers aren’t fussy: Besides fraudulent wire transfers, they’ll sometimes go after fraudulent requests for checks… or sensitive personally identifiable information (PII)… or employee tax records… or any/all of the above.
These scams are getting increasingly sophisticated, and they’re raking in ever more loot. From the FBI’s 2018 Internet Crime Report:
In 2013, BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations. Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector.
The report also said that the FBI had received 20,373 BEC/email account compromise (EAC) complaints, reflecting losses of over $1.2 billion, last year: more than double the amount lost as a result of such scams during the previous year.
Also on Tuesday, the FBI put out an updated set of figures that show that between October 2013 and July 2019, $26.2 billion has been lost to BEC scammers. Between May 2018 and July 2019, there was a 100% increase in identified global exposed losses, the FBI said – an increase due in part to greater awareness of the scam, which has in turn encouraged more reporting.
They’re coming for payroll
The FBI said that the crooks are increasingly going after payroll funds. It’s seen a spike in spoofed emails sent to companies’ human resources or payroll departments. The emails look like they’re coming from employees requesting a change to their direct deposit account – a tweak to a related scheme, in which a crook gains access to an employee’s direct deposit account and alters the routing to another account.
Typically, the crooks are directing the funds toward pre-paid card accounts.
The FBI had these tips, specifically aimed at helping employees to avoid these payroll scams:
- Use secondary channels or two-factor authentication (2FA) to verify requests for changes in account information.
- Ensure the URL in emails is associated with the business it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Refrain from supplying login credentials or PII in response to any emails.
- Monitor personal financial accounts on a regular basis for irregularities, such as missing deposits.
- Keep all software patches on and all systems updated.
- Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it’s purportedly coming from.
- Ensure the settings on employees’ computers are enabled to allow full email extensions to be viewed.
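Several of these tips (misspelled domains, a sender address that doesn't match who the email claims to be from) can be checked automatically before a payroll change request reaches a human. The sketch below is an added example, not code from the FBI or from this article; the trusted domain `example.com`, the function names and the sample messages are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Assumption: the organisation's genuine mail domain(s); example.com is a placeholder.
TRUSTED_DOMAINS = {"example.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def review_request(raw_message):
    """Return reasons to verify a request out of band before acting on it."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    if from_dom not in TRUSTED_DOMAINS:
        near = any(edit_distance(from_dom, t) <= 2 for t in TRUSTED_DOMAINS)
        findings.append("lookalike-domain" if near else "external-sender")
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    # A display name that shows one address while the real one differs
    shown = re.search(r"[\w.+-]+@([\w.-]+)", parseaddr(msg["From"] or "")[0])
    if shown and shown.group(1).lower() != from_dom:
        findings.append("display-name-address-mismatch")
    return findings

# Constructed sample messages (not real traffic)
SPOOFED = """\
From: "jane.doe@example.com" <jane.doe@examp1e.com>
Reply-To: jane.doe@mailbox.example.net
Subject: Direct deposit change

Please update my bank details before the next pay run.
"""
LEGIT = "From: Jane Doe <jane.doe@example.com>\nSubject: Timesheet\n\nAttached.\n"

if __name__ == "__main__":
    print(review_request(SPOOFED))
    print(review_request(LEGIT))
```

An empty result is not proof that a request is genuine: a message sent from a hijacked mailbox passes all three checks, so account changes still need verification through a secondary channel.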
What else to do
Report it!
Like the FBI says, the skyrocketing statistics related to BEC fraud incidents and losses are due at least in part to increased awareness and reporting.
Of course, law enforcement can’t fight what it doesn’t know about. To that end, please do make sure to report it if you’ve been targeted in one of these scams.
In the US, victims can file a complaint with the IC3. In the UK, BEC complaints should go to Action Fraud. If you’d like to know how Sophos can help protect you against BEC, read our Sophos News article Would you fall for a BEC attack?
rrogers31
I was thinking about sending this article to a recent acquaintance on a dating site. Since she is a female I don’t think the leading “nakedsecurity” is going to go over well. Is there a possibility for a different (perhaps shorter) link?
Paul Ducklin
https://wp.me/p120rT-1U5t
(WP is for WordPress, where Naked Security is hosted. We are Naked Security in the same way that Jamie Oliver is known as “The Naked Chef” and in the same way people talk about “the naked truth” – we strip cybersecurity back to jargon-free and unembellished basics so people can understand it.)
anonymous coward
For what it’s worth, I also do not share links to your articles, because of the word “Naked”.
In these days of sexual harassment scrutiny in the workplace — and the carryover effect into other spheres of public life — one can no longer afford to have reference to such a cheeky titled blog in one’s browser history or PowerPoint presentations.
I’ve taken to reading this blog only on a personal device; if I find a topic is worth sharing, I’ll search for coverage of it on other sites, then share that — all to avoid sharing “Naked” in public.
I also wouldn’t be at all shocked to learn that your engagement and readership statistics are impacted by the blog’s name, too. If the same topic is covered by CNET, verge, motherboard, and Naked Security, I’m confident that you’re losing audience to the other sites. Not because of the writing… because your writers are excellent… but because folks don’t want their bosses, parents, kids, colleagues, etc seeing “Naked” in their browser history.
Paul Ducklin
If you really think that people to whom you send article links might misconstrue the word “naked”, you can just replace…
nakedsecurity.sophos.com
…in the URL with…
sophosnews.wordpress.com
(The DNS entry for the former is in fact a CNAME for the latter. We don’t use sophosnews as the regular public facing name of this site because [a] this site isn’t really news about Sophos – it’s not specifically about products or the company and [b] we have a sister called Sophos News that is just that.)
anonymous coward
The URL you provided (sophosnews-dot-wordpress-dot-com) immediately resolves to the main form (nakedsecurity-dot-sophos-dot-com), bringing “Naked” back to the screen. That could be considered more offensive than linking to the latter, because no one likes surprises on the internet, e.g. short URL t-co or bit-ly links for Goatse (#1), or Rick rolling (#2).
Thank you for the suggestion.
#1 NSFW, shocking/obscene images. Wikipedia describes it well.
#2 https://nakedsecurity.sophos.com/tag/rick-astley/
Paul Ducklin
Never gonna give you up, never gonna let you down…
Never met anyone who landed on a Naked Security page and took offence because they thought they had reached a porn site. Never met anyone who actually took offence at the name, either. I think the nature of the site and what it contains is immediately and consistently obvious (as is the fact that you are on a Sophos site that includes news, albeit news in general rather than news about Sophos).
anonymous coward
Possibly it’s a cultural difference.
Here in the US, a small, but vocal, segment of society is agitating for the ruination of individuals and institutions who have ever been associated with ideas they find disagreeable (i.e. Twitter mobs, SJW mobs, idiot celebrities). The absence of any major catastrophe means these horrible crazies have plenty of time on their hands to “protest” and annoy.
In defense against it, an industry of consultants are advising people and institutions to avoid certain words, activities, and symbols that might catch the attention of the lunatic fringe.
It’s not that “Naked” instantly causes offense. It’s that it *might* cause offense and it’s safer to avoid it entirely, rather than catch the attention of the lunatic fringe or someone under their influence.
Paul Ducklin
And yet the thing is, I have never met anyone to whom it actually caused offence, or who was in any genuine way confused by the name. A few years ago, when there were still many half-baked web filtering solutions on the market that would do literal substring searches as a definitive way of ‘detecting badness’ (so that even words like anti-X would confuse them if X were something you wanted to block!) we used to get people who wished we’d change the name simply because it was blocked unintentionally at work. But I haven’t seen a complaint like that for quite a while now.
I’d argue – at least as passionately as you, and with at least as much actual evidence as you are presenting – that it’s better not to capitulate as you say we should. There are words I have happily dropped because they can reasonably be argued to have offensive origins – such as ‘whitelist’ and ‘blacklist’ (even if you ignore the ethnic implications, the latter word commonly refers to secretive and illegal anti-competitive behaviour used to exclude individuals from an industry). I have for many years tried to avoid he/she by writing in the plural, not least because the English singular third-person pronouns are a confusing oddity to many non-native speakers of the language, and because cybersecurity is essentially a multiplayer game anyway, so it’s about what *we* should do, rather than what *I* should do.
But if we drop “naked”, well, what next? We might find ourselves banning words like “globe” and “orbit” soon; we might get cornered into avoiding phrases like “that conclusion has no statistical significance”; and so on.
Anyway. It’s not up to me to decide. You’ve had your say, and I’ve had mine, so let’s draw this thread to an end…
anonymous coward
Amen. Ha ha.
anonymous coward
This is why widespread corporate data collection is not simply a privacy issue. There are folks who say they don’t care who knows when they’re out of town, their preferences, the names of their contacts, or what they look like. What they fail to recognize is that thieves are watching. Inevitably data about you will be leaked or hacked or bought, which facilitates real crimes against you, your family, your communities, your financial systems, and your countries. It’s not enemies looking to exploit your data for espionage, it’s gangs, cartels, con men, and con women.
Billetdoo
We are advised that two factor authorisation is a powerful preventative measure to fraud. All the guidance in this article advocates technical measures yet none of these include the obvious and most reliable. For goodness sake, just pick up the phone and speak to the supposed sender of the mail or directive and verify if they sent it! Simples
Paul Ducklin
SURE, BUT NEVER USE A PHONE NUMBER FROM THE EMAIL!
As an aside, the problem with ‘picking up the phone’ is that it isn’t as reliable, or as easy, as you suggest – and it’s surprisingly easy for BEC scammers to exploit that. If they’re an insider in the email system of one end of the transaction, they know enough about the business to work their demands around things like absences, global travel, vacations, working hours and more. Have you ever tried just picking up the phone and calling a CFO? Good luck with that. You’ll probably get an executive assistant. Do you know what they sound like? Do you know what they look like? Do you even know what their name is? Probably not…
…but the crooks probably *do* know at least two of those three things. The crooks know how that person signs off emails; they know the way they write; they know the hours they work; and better yet, they know exactly when to be most vigilant against people ‘picking up the phone’ to cross-check for fraudulent instructions, precisely because they sent the fraudulent instructions in the first place.
(I don’t disagree that a phone call might easily expose a fraud in minutes, so I agree with your advice – provided that you don’t take a neutral or positive outcome from the call as ‘proof’ all on its own. It’s like the padlock in your browser – if there isn’t one, you can assume the link you clicked is a phish; but if there is, you are not much better off and need to take further validation steps.)